Language selection

OPC Logo Office of the Privacy Commissioner of Canada

Search

Customer’s emails sent to her acquaintance following a telecom employee’s attempt to fix a problem with the customer’s email service

PIPEDA Case Summary #2015-010

July 6, 2015

Lessons Learned

  • The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
  • Organizations should recognize their responsibility to provide accurate information to the Commissioner to ensure OPC investigations are concluded efficiently.

An individual was experiencing difficulties with the email service she received from her telecommunications ("telecom") provider. One difficulty was her inability to successfully send emails to an acquaintance.

She contacted the telecom provider and one of its technical support representatives (the "representative") got in touch with her. During a troubleshooting session, the individual provided her consent allowing the representative to remotely access her computer.

The representative then attempted to correct the individual's email problem by changing an option on her email application. However, unbeknownst to the individual, the change caused her emails to be automatically forwarded to the address of her acquaintance.

The individual also had a problem with her password. During the same troubleshooting session, the representative emailed her a temporary password.

After the session, the individual was surprised to learn from her acquaintance that she was now receiving emails sent by others to the individual, including the email containing her temporary password. The individual went back to the telecom provider, who assigned another representative to the matter. This representative dealt with the new problem by reversing the first representative's changes.

The individual then made a complaint against the telecom provider with our Office.

During our investigation, the telecom provider explained that the first representative had not followed its mandatory procedure for conducting troubleshooting calls, and should not have accessed the email forwarding settings in the individual's email application.

Based on the facts provided, we determined that there had been a disclosure of the individual's personal information without her consent as a result of the first representative's actions. Consequently, there was a contravention of Principle 4.3.

We received no evidence indicating that the events leading to this complaint were part of a systemic problem within the the telecom provider. However, it was seriously noted during our investigation that the telecom provider had misinformed us in several ways about measures it had ostensibly taken to prevent a recurrence of the disclosure.

The telecom provider initially informed us that it had:

  1. offered coaching for the first representative, who had a history of non-compliance;
  2. implemented progressive disciplinary measures for the first representative;
  3. terminated the first representative's employment; and
  4. sent a communiqué to the relevant technical support team about the importance of following the mandatory procedure.

Supporting documents we requested however did not corroborate the four claims made above.

  • For example, regarding employee coaching, the evidence demonstrated that the matter had only been brought to the attention of a senior manager, who never responded.
  • With respect to progressive disciplinary measures, the employee citation we received was not signed by anyone in authority and, moreover, covered a period outside the events in the complaint.
  • When pressed for evidence concerning the representative's dismissal, the telecom provider amended its original statement and submitted instead a copy of the representative's letter of resignation.
  • Lastly, the telecom provider was unable to prove to us that it had sent a special communiqué about procedures to its technical support team following this incident.

That said, our Office accepted that the the telecom provider did have certain measures in place to prevent a recurrence:

  1. employees sign a code of conduct agreeing to follow the mandatory procedure;
  2. there is normal coaching as part of the team lead/employee relationship;
  3. there is auditing of employee compliance with the mandatory procedure through various quality/coaching opportunities; and
  4. discipline is meted out to employees, as appropriate, when cases of misuse occur.

Therefore, based on the body of evidence we reviewed, we determined that the complaint was well-founded and resolved.

However, since we were concerned that the telecom provider had not exercised greater diligence prior to making factual representations to our Office, we encouraged the telecom provider to ensure that its representations are accurate and complete in the future.

Date modified: